Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217
(speaking for myself)

On Wed, 2012-06-20 at 09:49 +0100, Jan Beulich wrote:
> > 14. Early consideration of which other organisations to bring in
> >
> > Our process needs to have, very early on, an explicit step of
> > deciding which other projects/organisations may also be vulnerable and
> > may therefore need to be part of the same disclosure process. It also
> > needs to make sure that we ask for any help (for example from
> > upstreams or hardware vendors) as soon as possible.
>
> Our security response team should only take our projects into
> consideration. Cross project vulnerabilities should be managed
> by entities set up to deal with this.

I'm generally of the same opinion -- if/when we discover that the impact of an issue is wider than Xen, instead of continuing to drive the process forward ourselves we should "escalate" to an entity which is set up to deal with such cross-project vulnerabilities.

What are the options here? CERT would be one; I'm sure there must be others. We should probably pick one which has policies we are happy with.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel